CVE-2026-34779: AppleScript Injection in Electron ≤38.8.6
Platform
nodejs
Component
electron
Fixed in
38.8.6
CVE-2026-34779 describes an AppleScript injection vulnerability in Electron on macOS. Specifically, `app.moveToApplicationsFolder()` used an insecure AppleScript fallback that didn't sanitize the application bundle path, potentially leading to arbitrary script execution if a user accepted the move prompt. This impacts applications that call `app.moveToApplicationsFolder()`. The vulnerability is present in Electron versions up to 38.8.6 and is fixed in versions 41.0.0-beta.8 and 40.8.0.
How to fix
No official patch available. Check for workarounds or monitor for updates.
Frequently Asked Questions
What is CVE-2026-34779?
CVE-2026-34779 is an AppleScript injection vulnerability in Electron's `app.moveToApplicationsFolder()` on macOS, allowing arbitrary script execution via a crafted application path.
Am I affected by CVE-2026-34779?
You are affected if your Electron application on macOS calls `app.moveToApplicationsFolder()` and uses Electron version 38.8.6 or earlier. Apps not using this API are not affected.
How do I fix CVE-2026-34779?
Upgrade to Electron version 41.0.0-beta.8 or 40.8.0, which contain the fix for this vulnerability. There are no app-side workarounds available.
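The affected-or-not test from the FAQ above, as an added example (not code from Electron or from this advisory): it classifies an installed Electron version using the version statements in the description and FAQ, and lists call sites of `app.moveToApplicationsFolder()`. The function names, the sample sources and the `unlisted` status for versions this page does not mention are assumptions of the example.

```javascript
// Added example: constructed audit helper, not Electron or advisory code.
const API_CALL = /\bmoveToApplicationsFolder\s*\(/; // misses aliased or dynamic calls

// Parse "major.minor.patch[-pre.n]"; returns null when the string is not a plain version.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(s).trim());
  return m && { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// Semver ordering: numeric fields first, and a prerelease sorts before its release.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  if (!a.pre || !b.pre) return a.pre ? -1 : b.pre ? 1 : 0;
  for (let i = 0; ; i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined || y === undefined) return x === y ? 0 : x === undefined ? -1 : 1;
    if (x === y) continue;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx !== ny) return nx ? -1 : 1; // numeric identifiers sort lower
    return (nx ? +x < +y : x < y) ? -1 : 1;
  }
}

// Classify using only the version statements made on this page.
function versionStatus(version) {
  const v = parseVersion(version);
  if (!v) return 'unparseable';
  const cmp = (ref) => compare(v, parseVersion(ref));
  if (cmp('38.8.6') <= 0) return 'affected'; // "38.8.6 or earlier"
  if (v.nums[0] === 40 && cmp('40.8.0') >= 0) return 'fixed';
  if (cmp('41.0.0-beta.8') >= 0) return 'fixed';
  return 'unlisted'; // assumption: page gives no status, check the upstream advisory
}

// sources: { fileName: fileText }. Returns version status plus file:line call sites.
function audit(electronVersion, sources) {
  const callSites = Object.entries(sources).flatMap(([file, text]) =>
    text.split('\n').flatMap((line, i) => (API_CALL.test(line) ? [`${file}:${i + 1}`] : [])));
  const status = versionStatus(electronVersion);
  return { status, callSites, actionNeeded: status !== 'fixed' && callSites.length > 0 };
}

// Constructed sample input.
const sampleSources = {
  'main.js': "const { app } = require('electron');\napp.whenReady().then(() => {\n  if (!app.isInApplicationsFolder()) app.moveToApplicationsFolder();\n});",
  'tray.js': "module.exports = () => {};",
};
console.log(audit('38.8.6', sampleSources));
```

Pass the installed version (for example the `version` field of `node_modules/electron/package.json`), not a range such as `^38.0.0`, which is reported as `unparseable`.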